Why You Need A Current HIPAA Risk Analysis

Conducting a HIPAA risk analysis is the first step in identifying the risks in your organization. Under the HIPAA Security Rule, the Department of Health and Human Services (HHS) requires healthcare organizations (covered entities) and the third-party vendors (business associates) that create, receive, maintain, or transmit electronic protected health information (ePHI) on their behalf to identify the risks and vulnerabilities that affect the confidentiality, integrity, and availability of that ePHI.

Once the risks have been identified, it is imperative to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of ePHI. Failing to implement those measures leaves your organization exposed to both a breach and an enforcement action, and that’s not a good place to be.

HIPAA Risk Analysis Audit Results

In December 2020, the HHS Office for Civil Rights (OCR) released its 2016 – 2017 HIPAA Audits Industry Report. The audit included 150 healthcare organizations (55% were providers) and 41 third-party vendors (14% were billing & claims companies).

The results for the healthcare organizations and third-party vendors audited were:

  • Security Risk Analysis – OCR found that fewer than 20% fulfilled their regulatory responsibility to safeguard ePHI through risk analysis activities. 
  • Risk Management Standards – OCR found that because both healthcare providers and their third-party vendors failed to conduct appropriate risk analyses, they were unable to connect their security plans to the management of identified risks. An overwhelming percentage of healthcare providers (94%) and third-party vendors (88%) failed to implement appropriate risk management activities.

Clues Found in the Audit Report

OCR found that both providers and third-party vendors failed to implement effective risk analysis and risk management activities to safeguard ePHI. Because of these findings, risk analysis and risk management are likely to draw closer scrutiny from OCR investigators during breach investigations and individual complaint investigations.

Providers and third-party vendors should consider the following takeaways from OCR’s audit findings:
 
  • Conduct a security risk analysis of the potential risks and vulnerabilities to ePHI – Providers and their third-party vendors are responsible for maintaining an appropriate and current risk analysis that is consistent with their policies and procedures and is updated for changes in their environment, operations, or security incidents. 
  • Implement appropriate risk management strategies – Providers and their third-party vendors must use their security risk analysis findings to inform their security plans and link those plans to the management of each identified risk. 

Why Does It Matter?

Your HIPAA Risk Analysis helps you measure the likelihood and impact of the threats and vulnerabilities that pose a risk to the ePHI in your organization.

There is no single method or “best practice” that guarantees compliance; however, most HIPAA Risk Analysis and risk management processes have the following steps in common.

Your HIPAA Risk Analysis should include, but is not limited to, the following activities:

  1. Evaluate the likelihood and impact of potential risks to your ePHI.
  2. Use the results of your HIPAA Risk Analysis to determine the security measures that are reasonable and appropriate for your organization.
  3. Implement those security measures to address the risks identified in your HIPAA Risk Analysis.
  4. Document the chosen security measures and, where required, the rationale for adopting those measures.
  5. Maintain continuous, reasonable, and appropriate security protections, and review and update the analysis as your environment changes.

Remember: ANY change to the hardware, software, and/or medical devices used to create, receive, maintain, or transmit your organization’s ePHI requires an update to the HIPAA Risk Analysis.